I'm writing you because my understanding is that BIS is currently in the process of considering implementation of the new Wassenaar controls related to "Intrusion Software." These controls have started to raise some concerns within the professional community associated with information security vulnerability research. I asked XXXXXXXXXXXXX who I might reach out to in order to provide some input and he suggested that I start by emailing the two of you.

I appreciate your time in reading this. I have some experience working with the EAR as a technical SME within export compliance programs at IBM and Internet Security Systems, and I have a great deal of professional experience with security vulnerability research and coordination, so I believe I have sufficient experience to provide you with an informed perspective.

Although there are a number of different concerns that have been raised regarding these new controls, I want to focus my comments specifically on the Category 4.E.1.C controls on "technology" for the "development" of "intrusion software." I don't believe that the potential unintended consequences of the technology controls in particular have received enough emphasis in the comments that I have read to date by other parties.

Computer security professionals use the word "vulnerability" to refer to a flaw in a software system which allows another program, such as an "intrusion" program, to modify "the standard execution path of a program or process in order to allow the execution of externally provided instructions." A great deal of the work that we do in information security has to do with finding and fixing these vulnerabilities, and that work involves getting information about newly discovered vulnerabilities into the hands of people who are in a position to fix them before that information falls into the hands of computer criminals. The exchange of information about these vulnerabilities is the lifeblood of information security, and that exchange often happens behind closed doors, across international borders, and sometimes, in exchange for money.

Unfortunately, the technical information that you would provide another person about a security vulnerability if you wanted them to fix it is the exact same information that you would provide them if you wanted to enable them to write an "intrusion program" that exploits it. In fact, one of the jobs that I personally held at IBM and Internet Security Systems was to take information about vulnerabilities that was provided to us and use that information to implement a corresponding "intrusion program" so that we could verify that the vulnerability had been fixed properly.

Therefore, an export control on "technology" for the "development" of "intrusion software" may wind up also controlling the exchange of information needed to fix the flaws that "intrusion software" takes advantage of. Any export control regime that deters people from sharing that sort of information across international borders or that creates bureaucratic obstacles to doing so will reduce the likelihood that important information will find its way to people in a position to take action to protect Internet security. I'll add without providing a detailed explanation that exceptions for "basic scientific research" and "publicly available" information will not necessarily solve this problem.

In fact, this may already be having a chilling effect. Hewlett Packard operates an annual contest in Canada in which contestants are encouraged to demonstrate "intrusion software" that exploits new security vulnerabilities, in exchange for cash prizes. This contest is an important tool that the software industry uses to get information about security vulnerabilities "off of the street." The cash prizes offer people who discover these vulnerabilities a constructive alternative to selling the information on the black market, and HP takes the information they provide and works with other software companies to fix the underlying flaws. This year HP reportedly sent a letter to contestants warning them that bringing vulnerability information to the contest from outside of Canada may violate export controls, and each contestant should consult an attorney before doing so. [1]

BIS recently received a whitepaper on these new controls from an NGO called Access, written by Collin Anderson. [2] Mr. Anderson writes "An interpretation of Intrusion Software that includes standalone exploits or proof of concepts would stifle computer security research, particularly given the wide net that could be cast by the Technology control or deemed export rules... It is incumbent that export control authorities refrain from considering broad interpretations of Intrusion Software that might lead to attempts to regulate exploits or vulnerability sales."

While I certainly agree with Mr. Anderson's recommendation, even if the United States chooses to implement the Wassenaar Arrangement in such a way that technical information about vulnerabilities and exploits is not controlled here, this will only mean that American computer security researchers can provide this sort of information to foreign software companies without an export license or license exemption. The security of software products that are made here in the United States depends on the ability that American software developers have to receive information about security vulnerabilities from parties outside the United States. If those parties live in countries that have interpreted this part of the Wassenaar Arrangement broadly, computer security in the United States will be negatively impacted. Therefore, I believe this concern is broader in scope than how BIS chooses to implement the Wassenaar Arrangement. The implementation decisions made by other nation states will impact the software industry in the United States, and the security of the Internet on the whole.

Thank you, again, for taking the time to read my comments. I would be happy to answer any questions that you have about this matter or engage in further explanation if it would be helpful. A redacted copy of this email will be posted to my personal weblog as the matter is of interest to colleagues of mine. I will remove your names and email addresses from the letter before doing so.